Systems and methods for automatically creating normalized security events in a cybersecurity threat detection and mitigation platform

We claim: 1. A computer-implemented method for accelerating a detection of a cybersecurity threat, the method comprising: at a cybersecurity service implemented by a network of distributed computers: obtaining, via one or more computers, raw event data from a third-party security device of a subscriber; automatically selecting, via the one or more computers, an automated event ingestion instruction of a plurality of distinct automated event ingestion instructions for processing the raw event data by evaluating one or more characteristics of the raw event data against predetermined event ingestion criteria; automatically generating a pre-normalized security event that includes the raw event data in a first structured data object that is interpretable by the cybersecurity service in response to executing the automated event ingestion instruction, wherein: the pre-normalized security event includes a set of un-normalized evidence data fields extracted from the raw event data, the set of un-normalized evidence data fields extracted from the raw event data are encoded in a data format native to the third-party security device, and each un-normalized evidence data field of the set of un-normalized evidence data fields is paired with a corresponding evidence data value as recorded by the third-party security device; automatically transforming the pre-normalized security event to at least one normalized security event, wherein automatically transforming the pre-normalized security event to the at least one normalized security event includes: obtaining, from a computer database of the cybersecurity service, a set of computer-executable data mapping instructions of a security data integration defined for the third party-security device, extracting, from the pre-normalized security event, the set of un-normalized evidence data fields in response to executing the set of computer-executable data mapping instructions against the pre-normalized security event, converting the set of un-normalized evidence data fields extracted from the pre-normalized security event to a set of normalized evidence data fields native to the cybersecurity service in response to executing the set of computer-executable data mapping instructions against the pre-normalized security event, and generating the at least one normalized security event that includes the set of normalized evidence data fields and the corresponding evidence data value in a second structured data object that is interpretable by the cybersecurity service; automatically assessing, via the one or more computers, a corpus of computer-executable detection instructions against the at least one normalized security event; generating, via the one or more computers, a security alert based on the at least one normalized security event satisfying a set of alerting conditions of a subject computer-executable detection instruction of the corpus of computer-executable detection instructions; and executing, in real-time or near real-time, a threat mitigation response that mitigates a security threat associated with the security alert. 2. The computer-implemented method according to claim 1 , wherein the plurality of distinct automated event ingestion instructions includes: a first automated event ingestion instruction that is configured to translate the raw event data obtained from the third-party security device to the pre-normalized security event when the raw event data is of a first raw event data type, a second automated event ingestion instruction that is configured to translate the raw event data obtained from the third-party security device to the pre-normalized security event when the raw event data is of a second raw event data type, and a third automated event ingestion instruction that is configured to translate the raw event data obtained from the third-party security device to the pre-normalized security event when the raw event data is of a third raw event data type, wherein the first raw event data type, the second raw event data type, and the third raw event data type are different raw event data types. 3. The computer-implemented method according to claim 1 , wherein: the subject computer-executable detection instruction is constructed using a detection-building graphical user interface, wherein constructing the subject computer-executable detection instruction includes: instantiating, via the one or more computers, the detection-building graphical user interface based on receiving a request from a user, wherein the detection-building graphical user interface includes: a plurality of detection-identifying user interface input elements configured to receive, from the user, one or more strings of text that characterize the subject computer-executable detection instruction, and a set of user interface buttons, that when operated, is configured to control whether the subject computer-executable detection instruction is used for only the subscriber or across all subscribers subscribing to the cybersecurity service. 4. The computer-implemented method according to claim 3 , wherein: the detection-building graphical user interface further includes an automated investigations control button that, when selected, is configured to display a drop-down menu element of a plurality of alert taxonomies, the automated investigations control button is configured to receive a selection, from the user, of one of the plurality of alert taxonomies, and the subject computer-executable detection instruction, when executed, is configured to execute a set of automated investigation workflows digitally mapped to the one of the plurality of alert taxonomies based on receiving the selection of the one of the plurality of alert taxonomies from the user. 5. The computer-implemented method according to claim 3 , wherein instantiating the detection-building graphical user interface further includes instantiating a detection instruction simulation container on the detection-building graphical user interface based on receiving an input, from the user, selecting a detection simulation addition control button of the detection-building graphical user interface, wherein the detection instruction simulation container is configured to receive, from the user, input of a historical raw event generated by the third-party security device for validating that the subject computer-executable detection instruction is executed correctly in response to normalizing the historical raw event and providing a normalized representation of the historical raw event to the subject computer-executable detection instruction. 6. The computer-implemented method according to claim 3 , wherein instantiating the detection-building graphical user interface further includes instantiating a detection instruction execution container on the detection-building graphical user interface based on receiving an input, from the user, selecting a detection instruction execution control button of the detection-building graphical user interface, wherein: the detection instruction execution container includes a signal type user interface element that, when selected, displays a drop-down menu element of a plurality of technology source-agnostic event signal types provided by the cybersecurity service, and one or more condition-setting user interface elements being configured to receive inputs of characters that define one or more alert generation conditions that must be satisfied prior to generating the security alert using the subject computer-executable detection instruction. 7. The computer-implemented method according to claim 6 , wherein instantiating the detection-building graphical user interface further includes instantiating a detection instruction response container on the detection-b